- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
If Zeus Panda slithers into your operating system, it can do a lot of damage. This infection is classed as a banking Trojan, which indicates that it targets banking information. Once it gets in, it silently records data pertaining to your bank accounts. If this data is collected successfully, schemers get the chance to hijack banking accounts and perform illegal transactions or even empty them out. Needless to say, this Trojan is a great threat to your virtual and financial security, which is why it must be taken seriously. The problem is that identifying and then deleting this malware is not the easiest of tasks. In fact, removing Zeus Panda manually is quite a challenge. That being said, this threat must be eliminated from the operating system, and that is not a task that can be postponed. Whether or not you have already found this devious Trojan, please continue reading to learn all about it.
It is very important to talk about the distribution of Zeus Panda. According to our research, this Trojan can be spread using exploit kits and phishing attacks. For example, the HookAds campaign is currently used for the distribution of this malicious banking Trojan. In the past, this campaign was used for the distribution of a different threat, Dreambot; however, it has now switched to dispersing Zeus Panda. This threat is a new variant of the infamous Zeus Trojan, an infection that has been used in many different ways (e.g., to install CryptoLocker Ransomware), but, of course, it is best known as a banking Trojan. The source code of this malware became available back in 2011, and since then, different parties have exploited it in different ways. The Trojan discussed in this report is all about collecting information, and besides recording banking credentials it is believed to collect data regarding the infected system as well. This infection targets all Windows operating systems from Windows XP onward, and it can affect all major browsers compatible with them. Unfortunately, this threat is very stealthy, and finding and removing it is very problematic.
Before Zeus Panda launches itself, it silently performs certain checks to decide whether execution should go ahead. For example, the threat deletes itself if it discovers, after checking the keyboard layout, that Russian, Ukrainian, Belarusian, or Kazakh languages are used. If the environment is right, the Trojan silently looks for a location to land. It is always in the %APPDATA% directory, and the threat checks for an empty folder with a path that has 140 characters and that does not contain certain strings in the name. When our malware researchers were analyzing the devious Zeus Panda, it landed in the %AppData%\Mozilla\Firefox\Profiles\1a3utp72.default\storage\default\ folder. The name of the executable was “winlog.exe”. Afterward, the infection copied itself to a different directory, and multiple files with random extensions were created. These files are believed to be used for storing data. Additionally, the infection created a POE (point of execution) in the Windows Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to ensure that it could be activated every time the system was started or a user logged in. Needless to say, the infection is messy, and identifying and removing its components can be tough. The good news is that you do not need to do it all on your own.
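The persistence entry and drop locations described above can be checked quickly on a suspect machine. The PowerShell triage script below is an added example, not part of the original article and not the Trojan's own code; it lists the HKCU Run entries and flags any that run from %APPDATA%, from an unusually long folder path (the 120-character threshold is an assumed heuristic based on the 140-character drop path reported above), that are named winlog.exe, or that sit inside a Firefox profile storage folder.

```powershell
# Added triage check (not from the original article). Flags HKCU Run entries with the
# traits reported for Zeus Panda. The thresholds and names are heuristics, not signatures.
function Get-SuspiciousRunEntry {
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $appData = $env:APPDATA
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return }

    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        $cmd = [Environment]::ExpandEnvironmentVariables($raw)

        # Isolate the executable path: a quoted path, or everything up to the first space.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else                             { $exe = ($cmd -split '\s+', 2)[0] }
        if (-not $exe) { continue }

        $reasons = @()
        if ($exe -like "$appData\*") {
            $reasons += 'runs from %APPDATA%'
            $dir = Split-Path -Path $exe -Parent
            # Assumed threshold: the article reports a 140-character drop folder.
            if ($dir.Length -ge 120) { $reasons += "long drop path ($($dir.Length) chars)" }
        }
        if ((Split-Path -Path $exe -Leaf) -ieq 'winlog.exe') {
            $reasons += 'file name winlog.exe'
        }
        if ($exe -match '\\Firefox\\Profiles\\[^\\]+\\storage\\default\\') {
            $reasons += 'executable inside a Firefox profile storage folder'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ValueName = $name
                Command   = $raw
                Target    = $exe
                Exists    = Test-Path -LiteralPath $exe
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-List
```

A hit is a lead for further analysis (hash the target, inspect the folder for the random-extension data files mentioned above), not proof of infection on its own.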
We cannot provide you with accurate instructions that would help you delete Zeus Panda manually because this threat can be dropped anywhere, it can then be executed from any folder under %APPDATA%, and its copy could be placed anywhere. Because of this, we do not recommend removing Zeus Panda manually. Instead, it is highly suggested that you install strong, up-to-date, reputable anti-malware software. It will automatically erase all malicious components, and since there might be an unknown number of items that require elimination, this truly is the best option. Furthermore, anti-malware software is created to ensure protection, which, of course, is crucial if you want to keep your operating system protected in the future. Once the Trojan is eliminated and the system is protected, it is important that you check your banking accounts for any unauthorized transactions. It is also crucial that you contact your bank to see what other security measures you should take to prevent unauthorized activity. Do you still have questions? Add them in the comments section below.